Board logo

标题: [分享] oracle之远程数据投毒漏洞(CVE-2012-1675)修复 [打印本页]

作者: hacked    时间: 2018-12-7 13:09     标题: oracle之远程数据投毒漏洞(CVE-2012-1675)修复

CVE-2012-1675漏洞是Oracle允许攻击者在不提供用户名/密码的情况下,向远程“TNS Listener”组件处理的数据投毒的漏洞。

举例:攻击者可以在不需要用户名密码的情况下利用网络中传送的数据消息(包括加密或者非加密的数据),如果结合(CVE-2012-3137漏洞进行密码破解)从而进一步影响甚至控制局域网内的任何一台数据库。

COST 是class of secure transports 的缩写。是为了控制实例注册提供的一种安全控制机制。其作用是对于一个确定的listener,限制哪些实例通过哪些协议可以进行注册。这将避免有其他远程实例进行恶意注册,并由此产生信息泄露等风险。
它通过在 listner.ora中设置参数SECURE_REGISTER_listener_name的值,指定为一个transport list(限定的注册协议列表,如IPC、TCP、TCPS)来实现这一功能。 该功能从 10.2.0.3 版本开始支持(虽然10g R2的在线文档中并未明确说明),一直到11.2.0.4版本及之后依然可用。但是,在11.2.0.4后,oracle建议使用默认的VNCR配置。

此配置可以解决oracle之远程数据投毒漏洞(CVE-2012-1675)

配置方式:

  一、使用TCP协议设置COST限制注册本地实例

    1、在listener.ora增加"SECURE_REGISTER_listener_name = (TCP)"

      LISTENER_PROD =
        (DESCRIPTION_LIST =
          (DESCRIPTION =(ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
        )
      )

      SECURE_REGISTER_LISTENER_PROD = (TCP)


    2、重启监听
      $ lsnrctl stop
      $ lsnrctl start


  二、使用IPC协议设置COST限制注册本地实例

    1、停止监听

      $ lsnrctl stop


    2、在listener.ora增加"SECURE_REGISTER_listener_name = (IPC)"

      LISTENER_PROD =
        (DESCRIPTION_LIST =
          (DESCRIPTION =

            (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))
            (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))
          )
        )

      SECURE_REGISTER_LISTENER_PROD = (IPC)


    3、启动监听

      $ lsnrctl start



验证方式:

  1. 注释相关设置,重启listener

    LISTENER_PROD =

      (DESCRIPTION_LIST =

        (DESCRIPTION =

          (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))

        )

      )

    # SECURE_REGISTER_LISTENER_PROD = (TCP)



  2. 修改系统参数remote_listener

    $ sqlplus "/ as sysdba"



SQL*Plus: Release 10.2.0.5.0 - Production on Fri May 4 10:11:27 2012

Connected to:

Oracle Database 10g Enterprise Edition Release 10.2.0.5.0 - 64bit Production

With the Partitioning, OLAP, Data Mining and Real Application Testing options



SQL> show parameter remote_listener;



NAME TYPE VALUE

------------------------------------ ----------- ------------------------------

remote_listener string





    SQL> alter system set remote_listener='(ADDRESS=(PROTOCOL=TCP)(HOST=netfl-bde)(PORT=1551))' scope=memory;



System altered.



  3. 查看listener的service中有“REMOTE SERVER”

    LSNRCTL> services listener_prod

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC2)))

Services Summary...

Service "N102.us.oracle.com" has 1 instance(s).

Instance "N102", status READY, has 1 handler(s) for this service...

Handler(s):

"DEDICATED" established:0 refused:0 state:ready

REMOTE SERVER

(ADDRESS=(PROTOCOL=TCP)(HOST=mes2)(PORT=1521))

The command completed successfully



  4. 删除listener.ora的注释,重启listener

    LISTENER_PROD =

      (DESCRIPTION_LIST =

        (DESCRIPTION =

        (ADDRESS = (PROTOCOL = TCP)(HOST = netfl-bde)(PORT = 1551))

      )

    )

    SECURE_REGISTER_LISTENER_PROD = (TCP)

    开启远程注册协议限定,限定来自主机netfl-bde的连接客户端只能通过TCP协议、走1551端口才能访问数据库实例



  5. 强制注册remote listener

    SQL> alter system register;



System altered.



  6. 先重启listener,再检查listener的service中是否有“REMOTE SERVER”

    [oracle@bde]$ lsnrctl

LSNRCTL for Linux: Version 11.2.0.2.0 - Production on 04-MAY-2012 10:42:57
Copyright (c) 1991, 2010, Oracle. All rights reserved.

Welcome to LSNRCTL, type "help" for information.

LSNRCTL> services listener_prod
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC2)))
The listener supports no services
The command completed successfully



  7. 查看listener日志,会出现TNS-01194拒绝注册的信息

    $ tail /u01/app/oracle/product/11.2.0.2/network/log/listener.log



04-MAY-2012 10:43:03 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=netfl-bde)(USER=oracle))

(COMMAND=services)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=186647040)) * services * 0



04-MAY-2012 10:43:05 * service_register_NSGR * 1194

TNS-01194: The listener command did not arrive in a secure transport



04-MAY-2012 10:44:05 * service_register_NSGR * 1194

TNS-01194: The listener command did not arrive in a secure transport



  8. 验证完成,清除系统参数remote_listener设置

    SQL> alter system set remote_listener='' scope=memory;



System altered.




最详注解

  http://blog.itpub.net/17997/viewspace-763695/

  https://blog.csdn.net/wengtf/article/details/46632405

非rac操作:

  https://blog.csdn.net/brj880719/article/details/53158507

  https://www.linuxidc.com/Linux/2016-09/135428.htm

问题说明:

  http://blog.itpub.net/17997/viewspace-763695/

COST说明:

  https://blogs.oracle.com/databas ... cure-transport-cost

来源:https://www.cnblogs.com/chendeming/p/9087493.html




欢迎光临 全球被黑站点统计系统论坛 - Hacked.com.cn (http://forum.hacked.com.cn/) Powered by Discuz! 7.2